A PEM file is a container that stores one or more encoded keys and certificates and can be used for different purposes. Multiple certificates are added to a PEM file to create a trust chain that authenticates the website so that data can be transferred securely. A PEM file helps protect the website's data from being stolen.
This write-up will guide you through the PEM file with the following content:
- What is a PEM File?
- How to Create a PEM File?
- How to Use a PEM File?
- Use PEM with Entire SSL Certificate
- Use PEM with Private Key
What is a PEM File?
A PEM (short for Privacy Enhanced Mail) file was originally created for transferring email securely, but it has since evolved into an internet security standard. The PEM file is a container for concatenated certificate files: several certificate files are combined so they can be exported and imported as a single file.
A single PEM file holds the information of multiple certificate files in base64-encoded form. Typically, the file includes the private key, the primary SSL certificate, and the Certificate Authority (CA) certificates that together form a trust chain to authenticate a website.
A PEM file is transferred from the sender to the receiver in encoded form: the binary data is converted to base64, an ASCII representation of the bytes. PEM-formatted files can carry extensions such as .key for private or public keys and .crt or .cer for certificates.
Two types of PEM files are commonly used:
- key.pem: It contains the private or public key.
- cert.pem: It contains the certificate information only.
PEM files are similar to DER files, which are commonly used on Windows and store binary data. PEM files, by contrast, are used on Unix-based operating systems and store the data as base64-encoded text.
How to Create a PEM File?
A PEM-formatted key or certificate can carry different extensions, such as .key, .crt, or .cer. To use a PEM file, we first create it by adding the required keys or certificates.
To create a PEM file, the following basic structure is followed. Every boundary line uses exactly five hyphens on each side; tools such as OpenSSL reject a boundary with a different number.
A PEM block starts with the BEGIN header tag, whose label says what kind of object follows:
-----BEGIN KEY-----
The key information is added between the starting and ending tags in base64-encoded form, an ASCII representation of the binary data:
<base64 encoded code>
A PEM block ends with the matching END tag, as shown below:
-----END KEY-----
For example, a public key in PEM format has the structure below. It starts with the "BEGIN RSA PUBLIC KEY" tag, which tells the reader that a public key follows; its body contains the base64 data for the public key, and it ends with the matching END tag:
-----BEGIN RSA PUBLIC KEY-----
<body base64 code>
-----END RSA PUBLIC KEY-----
Similarly, a private key is commonly enclosed in the following starting and closing tags:
-----BEGIN RSA PRIVATE KEY-----
<body base64 code>
-----END RSA PRIVATE KEY-----
How to Use a PEM File?
A PEM file, which may contain several certificates, can be used with web servers like Nginx or Apache.
Use PEM with Entire SSL Certificate
A PEM file can carry the entire SSL certificate chain. The PEM file below contains three SSL certificates: the primary, intermediate, and root certificates:
-----BEGIN CERTIFICATE-----
<Primary SSL Certificate Text>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate CA Certificate Text>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root Certificate Text>
-----END CERTIFICATE-----
- Primary SSL Certificate Text: It includes a “domain-name.crt” certificate.
- Intermediate Certificate: It includes the “DigiCertCA.crt” certificate.
- Root Certificate: It includes the “TrustedRoot.crt” certificate.
After adding the SSL certificate details to the file, save it as "domain-name.pem"; the file is now ready to export.
Use PEM with Private Key
To use a private key with a PEM file, add the RSA private key block at the top of the PEM file created above, as shown below:
-----BEGIN RSA PRIVATE KEY-----
<Private Key>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<Primary SSL Certificate Text>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Intermediate Certificate Text>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<Root Certificate Text>
-----END CERTIFICATE-----
After adding the data, save the file as "domain-name.pem"; it is then ready for use.
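As an added example (not code from the original article), the following Python splits a PEM container into its blocks, checks that each BEGIN/END pair matches and that the body is strict base64, and then validates the key-plus-chain layout shown above. It also refuses a private key in any bundle that is meant to be shared, which is the check to run before handing a chain file to anyone. The sample bundle is constructed from placeholder bytes, not real DER data.

```python
import base64
import re

# RFC 7468 encapsulation boundaries: exactly five hyphens on each side.
_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def parse_pem(text):
    """Split a PEM container into (label, der_bytes) pairs; raise ValueError if malformed."""
    blocks, label, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if label is None:                      # outside a block: look for a BEGIN line
            if m := _BEGIN.match(line):
                label, body = m.group(1), []
            continue
        if not (m := _END.match(line)):        # still inside the base64 body
            body.append(line)
            continue
        if m.group(1) != label:
            raise ValueError(f"END {m.group(1)} closes BEGIN {label}")
        try:                                   # validate=True rejects stray characters
            der = base64.b64decode("".join(body), validate=True)
        except ValueError:
            raise ValueError(f"{label} body is not valid base64") from None
        blocks.append((label, der))
        label = None
    if label is not None:
        raise ValueError(f"unterminated BEGIN {label} block")
    return blocks

def check_bundle(blocks, allow_private_key):
    """Return (ok, reason): optional key first, then only CERTIFICATE blocks. Use allow_private_key=False for any file that leaves the host (a chain sent to a CA or CDN)."""
    labels = [label for label, _ in blocks]
    keys = [i for i, lab in enumerate(labels) if lab.endswith("PRIVATE KEY")]
    certs = [lab for lab in labels if lab == "CERTIFICATE"]
    if keys and not allow_private_key:
        return False, "private key found in a certificate-only bundle"
    if len(keys) > 1 or (keys and keys[0] != 0):
        return False, "at most one private key, and it must be the first block"
    if not certs or len(certs) + len(keys) != len(labels):
        return False, "expected one or more CERTIFICATE blocks after the optional key"
    return True, f"{len(keys)} key + {len(certs)} certificate(s)"

def pem_block(label, payload):                 # payloads here are short, so no 64-char wrapping
    return f"-----BEGIN {label}-----\n{base64.b64encode(payload).decode()}\n-----END {label}-----\n"

# Constructed sample in the key + chain layout shown above; placeholder bytes stand in for DER.
SAMPLE_BUNDLE = "".join(pem_block(lab, data) for lab, data in [("RSA PRIVATE KEY", b"<key placeholder>"),
    ("CERTIFICATE", b"<primary cert>"), ("CERTIFICATE", b"<intermediate CA>"), ("CERTIFICATE", b"<root CA>")])
```

Run `check_bundle(parse_pem(open("domain-name.pem").read()), allow_private_key=False)` on a chain you are about to share; a four-hyphen boundary like the ones sometimes seen in tutorials never matches and the block is silently skipped, which the empty result makes visible.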
Now the PEM file can be given to the SSL provider to add security to your web server. For instance, the Let's Encrypt "certbot" client generates the following files:
privkey.pem
fullchain.pem
chain.pem
cert.pem
Each PEM file stores encoded information used to secure the web server:
- privkey.pem: It's the private key for the user.
- fullchain.pem: It includes both the "privkey.pem" and "chain.pem" files, which are passed to the web server along with the SSL certificate.
- chain.pem: It's used as the root certificate.
- cert.pem: It's the user-specified certificate.
These files are passed as parameters to the web server, such as Nginx or Apache, to use as your certificate, allowing you to transfer data securely. For Apache, first enable SSL (SSLEngine on). Then specify the SSLCertificateFile (fullchain.pem) and the SSLCertificateKeyFile (privkey.pem) as shown below (Apache does not allow a trailing comment on a directive line, so none is used here):
SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem
Similarly, for the Nginx web server, you can add the ssl_certificate (fullchain.pem) and ssl_certificate_key (privkey.pem) directives with the following syntax:
ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;    # fullchain.pem
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;  # privkey.pem
Use PEM File via SSH
To use a PEM file with SSH, pass it to ssh instead of the default id_rsa key; the syntax is as follows:
$ ssh -i <key-file-name>.pem <host-name>@<ip-address>
- key-file-name: Replace it with the PEM file name.
- host-name: Replace it with the user name you log in as on the remote host (the part before the @).
- ip-address: Replace it with the server's IP address.
You will be signed in to the server with the PEM key. Remember that, with this method, you need to pass the -i option every time you log in to the web server.
An easier way is to add the private key to the SSH agent (or, on macOS, the system keychain) using the "ssh-add" command:
$ ssh-add keyfile.pem
Alternatively, you can add the public half of the PEM key to the server's authorized_keys list once. Extract the public key from the private key file and copy it to the server with the following commands:
$ ssh-keygen -y -f keyfile.pem > keyfile.pub
$ ssh-copy-id -i keyfile.pub <host-name>@<ip-address>
This adds your key to the server's ~/.ssh/authorized_keys file, and you will not have to add your key every time you log in.
Conclusion
The PEM file is a container of several base64-encoded certificates used to secure internet data transmission. A PEM file normally contains the primary SSL, intermediate CA, and root certificates, and it can be used with SSL or SSH to share data over the web securely.
By adding the PEM file to SSL, only the sender and receiver can read the information exchanged with the web server. Moreover, you can add the public half of a PEM key to the SSH authorized_keys file so that the key is accepted automatically.